Directory Path Traversal Vulnerability in NI VeriStand with vsmodel Files

Overview

A directory path traversal vulnerability exists when loading a vsmodel file in NI VeriStand that may result in remote code execution.  Successful exploitation requires an attacker to get a user to open a specially crafted .vsmodel file.  This vulnerability affects VeriStand 2024 Q2 and prior versions.

 

This vulnerability is identified as CVE-2024-6791.

Contents

Mitigation Guidance

NI strongly recommends upgrading the affected software to mitigate this vulnerability.  Refer to the Affected Products section for information on upgrading these products. 

Affected Products

 

CVSS Score

CVE-2024- 6791– 7.8 - CVSS:3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

NI would like to thank kimiya working with Trend Micro Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.

Additional Resources

  • CVE-2024-6791 - National Vulnerability Database
  • CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Product VersionMitigation
VeriStand 2024Upgrade to NI VeriStand 2024 Q3 or later from NI Package Manager or Software Downloads   
VeriStand 2023Upgrade to NI VeriStand 2023 Q4 Patch 1 or later from NI Package Manager or Software Downloads  
VeriStand 2021Upgrade to NI VeriStand 2021 R3 Patch 2 or later from NI Package Manager or Software Downloads
VeriStand 2020 and priorNot in Mainstream Support

Was this information helpful?

Yes

No